A large law firm was attacked by the Sodinokibi gang. What’s going on?

When a group of celebrities asks to speak to their lawyer, they usually don’t have to call a group of other people to speak to their lawyer. In this case, however, it may be a bit wrong. A large number of musicians, including Bruce Springsteen, Lady Gaga, Madonna, Run DMC and many others, had many documents stolen by the Sodinokibi gang.

Approximately 756 GB of files, including tour dates, music rights and correspondence, were stolen – some of these were published on a website accessible via TOR as proof of a self-adhesive design. The company in question is Grubman Shire Meiselas & Sacks, a major player that maintains enormous daily contacts with world stars. Although they relate to television stars, actors, athletes and many others, the only data listed online so far seems to relate to songwriters.


It is assumed that the data is displayed as a preview of future events; you pay a ransom, or the data is received (and by received we mean anything published online in a disastrous way). The Sodino bikib gang shouldn’t be afraid if the walls of Travelex collapsed not so long ago.

Hot Targets…

Law firms are becoming an important target for abusers because they recognise the value of the data they are dealing with. Crack, filter the files and then send ransom demands to show them that you have A) files and B) medium sized companies. If they refuse to pay, they drop the business and leave the inevitable slaughterhouse of reputation damage + compromised customers.

Who or what is Sodinokibi?

In short, a devastatingly successful criminal group with a penchant for ransom software, data theft and extortion. Popular as a service business model, the ransom rose sharply in May 2019, with increasing attacks on companies and (to some extent) consumers. Their ransom software has come a long way to fill the void left by the dismissal of the GandCrab group, and there were many small households until finally, at the end of July, there was a decline for both consumers and businesses.

Six versions of Sodinokibi were released between April and July alone, keeping the security industry and the targets on their feet for a very short period of time. Vulnerabilities, phishing campaigns with malicious links, malicious advertising and even compromised MSPs that help trigger a ransom wave. Besides, you should block the MSP completely.

Technical details of an attack?

It is a sensational story, and for various reasons those involved do not want to talk about it yet, especially in connection with the ongoing investigations. In this context, there is every reason to believe that they used the software to get ransom and that it was a targeted attack. How does the Sodinokibi buy-back program work at the moment?

Sodinokibi Acquisition statistics

It’s probably not part of a big spam wave. Our monthly consumer and company data show the last big jump of Ransom.Sodinokibi in December:

Sodinokibi drops the biggest hit collection, and crime is the secret ingredient-Malwarebytes Labs Monthly totals for 2019 and 2020.

From September to November 2019, the number of business discoveries ranged from 200 to 280, after which the number exploded to almost 7,000 in December. It fell rapidly to 260 in February 2020, up slightly from 1447 in April.

Meanwhile, consumers have come down a slightly more winding road, peaking at just over 600 in November 2019, with figures ranging from 293 in July 2019 to 228 in March 2020, and are generally low elsewhere (76 in August 2019, 70 in December 2019 and 109 in April 2020).

Finally, make sure your arsenal of redemptions is fully filled and ready to go when you sit down with many incredibly valuable pop documents or anything else. Whether it’s random attacks or targeted chaos, the end result remains the same: lots of headaches and lots of calls to the legal department.

Or, in this case, a lot of calls to the legal department.